ISSN 1746-7659, England, UK
Journal of Information and Computing Science, Vol. 2, No. 4, 2007, pp. 52-60

Secure Information Flow Based on Data Flow Analysis

Jianbo Yao
Center of Information and Computer, Zunyi Normal College, Zunyi, Guizhou, 563002, China
(Received December 2006, accepted April 2007)

Abstract. The static analysis of secure information flow has been studied for many years. The existing methods tend to be overly conservative, or to pay too much attention to location information leaks. This paper uses data flow analysis to deal with secure information flow. Two variables with dynamically updated security levels are introduced. A program is secure if no variable has a downgraded security level at the exit of the program. The analysis can accept more secure programs. The soundness of the analysis is proved.

Keywords: secure information flow, data flow analysis, static analysis, formal semantics.

1. Introduction

The static analysis of secure information flow has been studied for many years [1]. The analysis of secure information flow checks whether the information flow of a given program is secure. Secure information flow ensures noninterference, that is, observations of the initial and final values of low-security variables do not provide any information about the initial values of high-security variables. Consider a program whose variables are partitioned into two disjoint tuples H (secret) and L (public). The program is secure if examination of the initial and final values of any L variable does not give any information about the initial values of any H variable. For example, the program H := L is secure, since the value of L is independent of the initial value of H. Similarly, the program L := 8 is secure, because the final value of L is always 8, regardless of the initial value of H. However, the program L := H is insecure, since the value of H can be observed as the final value of L. This flow of information from H to L is called explicit; we call it an explicit leak from H to L.
The program if H then L := 0 else L := 1 is insecure: although each branch of the conditional is secure, H is indirectly copied into L. This flow of information from H to L is called implicit; we call it an implicit leak from H to L.

A secure program may contain a location information leak. For example, in each of the four programs

(1) L := H ; L := 8
(2) H := L ; L := H
(3) L := H ; L := L − H
(4) if false then L := H end

the location information leak L := H exists, yet all four programs are secure. The existing methods tend to be overly conservative, giving insecure answers to many secure programs, or to pay too much attention to location information leaks; the existence of a location information leak does not

Published by World Academic Press, World Academic Union
imply that there is an information leak in the program. In this paper, data flow analysis is used to deal with secure information flow. The analysis proposed here is more precise than the existing syntactic approaches. However, since the analysis is syntactic in nature, it cannot be as precise as the Joshi-Leino and Sabelfeld-Sands semantic approaches [6,7] or the Darvas-Hähnle-Sands theorem proving approach [8].

The rest of the paper is organized as follows: Section 2 informally describes the problem of secure information flow using some simple examples. Section 3 presents the syntax and semantics of the While language. Section 4 explains how to construct the flow graph and then gives the data flow equations for detecting information leaks. Section 5 proves the soundness of the analysis. Section 6 concludes.

The original Denning-Denning method [9], the Mizuno-Schmidt data flow analysis [4] and the Volpano-Smith type system all assert that the above four programs are insecure. The Doh-Shin data flow analysis claims that it can solve the problem for two of the four programs, but in fact it can only solve the problem for one of them. Our analysis certifies that all four programs above are secure [6].

2. Syntax and Semantics

In this paper we consider an imperative language core [10], While. In order to identify statements and tests in a While program, we give a unique label to each assignment, skip statement and test.

Syntax Domain:

$a \in \mathbf{AExp}$ arithmetic expressions
$b \in \mathbf{BExp}$ Boolean expressions
$S \in \mathbf{Stmt}$ statements
$x \in \mathbf{Var}$ variables
$\ell \in \mathbf{Lab}$ labels

Abstract Syntax:

$S ::= [x := a]^\ell \mid [\mathtt{skip}]^\ell \mid S_1 ; S_2 \mid \mathtt{if}\ [b]^\ell\ \mathtt{then}\ S_1\ \mathtt{else}\ S_2 \mid \mathtt{while}\ [b]^\ell\ \mathtt{do}\ S$

Configurations and Transitions: A state is defined as a mapping from variables to integers: $\mathbf{State} = \mathbf{Var} \rightarrow \mathbf{Z}$. A configuration of the semantics is either a pair $\langle S, \sigma \rangle$ or a state $\sigma$, where $S \in \mathbf{Stmt}$ and $\sigma \in \mathbf{State}$. A terminal configuration consists only of a state.
The transition relation of the semantics shows how a configuration is changed by one step of computation and has one of the following two forms:

$\langle S, \sigma \rangle \rightarrow \sigma'$ and $\langle S, \sigma \rangle \rightarrow \langle S', \sigma' \rangle$

For arithmetic and Boolean expressions a and b, we assume that the semantic functions are defined as follows:

$\mathcal{A} : \mathbf{AExp} \rightarrow \mathbf{State} \rightarrow \mathbf{Z}$
$\mathcal{B} : \mathbf{BExp} \rightarrow \mathbf{State} \rightarrow \mathbf{T}$

where Z is the set of integers and T is the set of truth values.

Structural Operational Semantics:

[ass] $\langle [x := a]^\ell, \sigma \rangle \rightarrow \sigma[x \mapsto \mathcal{A}[\![a]\!]\sigma]$

[skip] $\langle [\mathtt{skip}]^\ell, \sigma \rangle \rightarrow \sigma$

[seq$_1$] $\dfrac{\langle S_1, \sigma \rangle \rightarrow \langle S_1', \sigma' \rangle}{\langle S_1 ; S_2, \sigma \rangle \rightarrow \langle S_1' ; S_2, \sigma' \rangle}$

JIC email for subscription: publishing@wau.org.uk
[seq$_2$] $\dfrac{\langle S_1, \sigma \rangle \rightarrow \sigma'}{\langle S_1 ; S_2, \sigma \rangle \rightarrow \langle S_2, \sigma' \rangle}$

[if$_1$] $\langle \mathtt{if}\ [b]^\ell\ \mathtt{then}\ S_1\ \mathtt{else}\ S_2, \sigma \rangle \rightarrow \langle S_1, \sigma \rangle$ if $\mathcal{B}[\![b]\!]\sigma = \mathit{true}$

[if$_2$] $\langle \mathtt{if}\ [b]^\ell\ \mathtt{then}\ S_1\ \mathtt{else}\ S_2, \sigma \rangle \rightarrow \langle S_2, \sigma \rangle$ if $\mathcal{B}[\![b]\!]\sigma = \mathit{false}$

[wh$_1$] $\langle \mathtt{while}\ [b]^\ell\ \mathtt{do}\ S, \sigma \rangle \rightarrow \langle S ; \mathtt{while}\ [b]^\ell\ \mathtt{do}\ S, \sigma \rangle$ if $\mathcal{B}[\![b]\!]\sigma = \mathit{true}$

[wh$_2$] $\langle \mathtt{while}\ [b]^\ell\ \mathtt{do}\ S, \sigma \rangle \rightarrow \sigma$ if $\mathcal{B}[\![b]\!]\sigma = \mathit{false}$

3. Secure Information Flow Analysis

In this section we use data flow analysis to deal with secure information flow [3,]. We first define a suitable flow graph for While programs, and then formulate the data flow equations of the analysis.

3.1. The Flow Graph

The flow graph is defined in the style of the Nielson-Nielson-Hankin book [8]. In order to analyse secure information flow, we must explicitly add to the flow graph an implicit flow from a test block to each statement block in the conditional branches or in the while-loop body, in addition to the normal control flow. A flow graph consists of the set of elementary blocks and the set of (control and implicit) flows between blocks. More formally, the flow graph of a While statement S is defined to be the quintuple

$\mathit{flowgraph}(S) = (\mathit{blocks}(S), \mathit{flow}(S), \mathit{flow}'(S), \mathit{init}(S), \mathit{final}(S))$

where each of the functions is defined below. Let Blocks be the set of elementary blocks of the form $[x := a]^\ell$, $[\mathtt{skip}]^\ell$ or $[b]^\ell$, where $\ell \in \mathbf{Lab}$. The function blocks finds the set of elementary blocks in a given statement:

$\mathit{blocks} : \mathbf{Stmt} \rightarrow \mathcal{P}(\mathbf{Blocks})$
$\mathit{blocks}([x := a]^\ell) = \{[x := a]^\ell\}$
$\mathit{blocks}([\mathtt{skip}]^\ell) = \{[\mathtt{skip}]^\ell\}$
$\mathit{blocks}(S_1 ; S_2) = \mathit{blocks}(S_1) \cup \mathit{blocks}(S_2)$
$\mathit{blocks}(\mathtt{if}\ [b]^\ell\ \mathtt{then}\ S_1\ \mathtt{else}\ S_2) = \{[b]^\ell\} \cup \mathit{blocks}(S_1) \cup \mathit{blocks}(S_2)$
$\mathit{blocks}(\mathtt{while}\ [b]^\ell\ \mathtt{do}\ S) = \{[b]^\ell\} \cup \mathit{blocks}(S)$

A flow graph always has a single entry, but it may have multiple exits due to conditional statements. Thus the function init returns the initial label of a given statement:

$\mathit{init} : \mathbf{Stmt} \rightarrow \mathbf{Lab}$
$\mathit{init}([x := a]^\ell) = \ell$
$\mathit{init}([\mathtt{skip}]^\ell) = \ell$
$\mathit{init}(S_1 ; S_2) = \mathit{init}(S_1)$
$\mathit{init}(\mathtt{if}\ [b]^\ell\ \mathtt{then}\ S_1\ \mathtt{else}\ S_2) = \ell$
$\mathit{init}(\mathtt{while}\ [b]^\ell\ \mathtt{do}\ S) = \ell$

The function final returns the set of final labels of a given statement:

$\mathit{final} : \mathbf{Stmt} \rightarrow \mathcal{P}(\mathbf{Lab})$

JIC email for contribution: editor@jic.org.uk
$\mathit{final}([x := a]^\ell) = \{\ell\}$
$\mathit{final}([\mathtt{skip}]^\ell) = \{\ell\}$
$\mathit{final}(S_1 ; S_2) = \mathit{final}(S_2)$
$\mathit{final}(\mathtt{if}\ [b]^\ell\ \mathtt{then}\ S_1\ \mathtt{else}\ S_2) = \mathit{final}(S_1) \cup \mathit{final}(S_2)$
$\mathit{final}(\mathtt{while}\ [b]^\ell\ \mathtt{do}\ S) = \{\ell\}$

The function flow returns the control flows between blocks in a given statement:

$\mathit{flow} : \mathbf{Stmt} \rightarrow \mathcal{P}(\mathbf{Lab} \times \mathbf{Lab})$
$\mathit{flow}([x := a]^\ell) = \emptyset$
$\mathit{flow}([\mathtt{skip}]^\ell) = \emptyset$
$\mathit{flow}(S_1 ; S_2) = \mathit{flow}(S_1) \cup \mathit{flow}(S_2) \cup \{(\ell, \mathit{init}(S_2)) \mid \ell \in \mathit{final}(S_1)\}$
$\mathit{flow}(\mathtt{if}\ [b]^\ell\ \mathtt{then}\ S_1\ \mathtt{else}\ S_2) = \mathit{flow}(S_1) \cup \mathit{flow}(S_2) \cup \{(\ell, \mathit{init}(S_1)), (\ell, \mathit{init}(S_2))\}$
$\mathit{flow}(\mathtt{while}\ [b]^\ell\ \mathtt{do}\ S) = \mathit{flow}(S) \cup \{(\ell, \mathit{init}(S))\} \cup \{(\ell', \ell) \mid \ell' \in \mathit{final}(S)\}$

The function flow' defines the implicit flows in a given statement:

$\mathit{flow}' : \mathbf{Stmt} \rightarrow \mathcal{P}(\mathbf{Lab} \times \mathbf{Lab})$
$\mathit{flow}'([x := a]^\ell) = \emptyset$
$\mathit{flow}'([\mathtt{skip}]^\ell) = \emptyset$
$\mathit{flow}'(S_1 ; S_2) = \mathit{flow}'(S_1) \cup \mathit{flow}'(S_2)$
$\mathit{flow}'(\mathtt{if}\ [b]^\ell\ \mathtt{then}\ S_1\ \mathtt{else}\ S_2) = \mathit{flow}'(S_1) \cup \mathit{flow}'(S_2) \cup \{(\ell, \ell') \mid B^{\ell'} \in \mathit{blocks}(S_1)\} \cup \{(\ell, \ell') \mid B^{\ell'} \in \mathit{blocks}(S_2)\}$
$\mathit{flow}'(\mathtt{while}\ [b]^\ell\ \mathtt{do}\ S) = \mathit{flow}'(S) \cup \{(\ell, \ell') \mid B^{\ell'} \in \mathit{blocks}(S)\}$

For example, consider the Power program

$[z := 1]^1 ; \mathtt{while}\ [x > 0]^2\ \mathtt{do}\ ([z := z * y]^3 ; [x := x - 1]^4)$

We have

$\mathit{flowgraph}(\mathit{Power}) = (\mathit{blocks}(S), \mathit{flow}(S), \mathit{flow}'(S), \mathit{init}(S), \mathit{final}(S))$
$= (\{[z := 1]^1, [x > 0]^2, [z := z * y]^3, [x := x - 1]^4\}, \{(1,2), (2,3), (3,4), (4,2)\}, \{(2,3), (2,4)\}, 1, \{2\})$

3.2. The Analysis

Assume that information has only two security levels, H and L. Each variable x in a program is initially bound to a security level, which is denoted by underlining x. Three marked forms of x are used (written here as $\bar{x}$, $\dot{x}$ and $\hat{x}$): $\bar{x}$ denotes an L variable x whose security level has been upgraded after an H variable was copied into the L variable x; $\dot{x}$ denotes an H variable x whose security level has been
downgraded after an L variable was copied into the H variable x; $\hat{x}$ denotes an implicit H variable, i.e. an H variable x occurring in a test block. Every abstract value of the analysis is a triple of sets of variables: the upgraded L variables, the downgraded H variables and the implicit H variables. The analysis is defined as follows.

$\mathit{gen} : \mathbf{Blocks} \rightarrow \mathcal{P}(\{\bar{x}\}) \times \mathcal{P}(\{\dot{x}\}) \times \mathcal{P}(\{\hat{x}\})$

$\mathit{gen}([x := a]^\ell) = (\{\bar{x}\}, \{\dot{x}\}, \emptyset)$, where
{ x̄ | y ∈ FV(a), y ∈ {x̂}, x ⊑ y } ∪ { x̄ | z ∈ FV(a), z := y, z ∈ {x̄}, x ⊑ y } ∪ { x̄ | y ∈ {x̄}, x := y, x ⊑ y }
{ ẋ } = { x | x = H; ∀y ∈ FV(a), y = L, y ∉ {x̂} }
$\mathit{gen}([x := a]^\ell) = (\emptyset, \emptyset, \emptyset)$ if $[x := a]^\ell$ is never executed
$\mathit{gen}([\mathtt{skip}]^\ell) = (\emptyset, \emptyset, \emptyset)$
$\mathit{gen}([b]^\ell) = (\emptyset, \emptyset, \{\hat{x}\})$, where $\{\hat{x}\} = \{x \mid x \in FV(b), x = H\}$

$\mathit{kill} : \mathbf{Blocks} \rightarrow \mathcal{P}(\{\bar{x}\}) \times \mathcal{P}(\{\dot{x}\}) \times \mathcal{P}(\{\hat{x}\})$

$\mathit{kill}([x := a]^\ell) = (\{\bar{x}\}, \{\dot{x}\}, \emptyset)$, where
{ x̄ } = { x | y ∈ FV(a), y = H ⇒ y ∈ {ẋ} }
{ ẋ } = { x | y ∈ FV(a), y = L ⇒ y ∈ {x̄} (y = H) }
$\mathit{kill}([x := a]^\ell) = (\emptyset, \emptyset, \emptyset)$ if $[x := a]^\ell$ is never executed
$\mathit{kill}([\mathtt{skip}]^\ell) = (\emptyset, \emptyset, \emptyset)$
$\mathit{kill}([b]^\ell) = (\emptyset, \emptyset, \emptyset)$

Information Flow Equations:

$L_{\mathit{entry}}(\ell) = \begin{cases} (\emptyset, \emptyset, \emptyset) & \text{if } \ell = \mathit{init}(S) \\ \bigcup \{ L_{\mathit{exit}}(\ell') \mid (\ell', \ell) \in \mathit{flow}(S) \cup \mathit{flow}'(S) \} & \text{otherwise} \end{cases}$

$L_{\mathit{exit}}(\ell) = \big( (\{\bar{x}\} \setminus \{\bar{x}\}_{\mathit{kill}}) \cup \{\bar{x}\}_{\mathit{gen}},\ (\{\dot{x}\} \setminus \{\dot{x}\}_{\mathit{kill}}) \cup \{\dot{x}\}_{\mathit{gen}},\ (\{\hat{x}\} \setminus \{\hat{x}\}_{\mathit{kill}}) \cup \{\hat{x}\}_{\mathit{gen}} \big)$

where $(\{\bar{x}\}, \{\dot{x}\}, \{\hat{x}\}) = L_{\mathit{entry}}(\ell)$ and the unions over flow(S) ∪ flow'(S) are taken componentwise.

Example 1. Consider the following program:
$[x := y]^1 ; [x := z]^2$, where y = H and x = z = L.

$L_{\mathit{entry}}(1) = (\emptyset, \emptyset, \emptyset)$
$L_{\mathit{exit}}(1) = (\{\bar{x}\}, \emptyset, \emptyset)$
$L_{\mathit{entry}}(2) = (\{\bar{x}\}, \emptyset, \emptyset)$
$L_{\mathit{exit}}(2) = (\emptyset, \emptyset, \emptyset)$

$\bar{x}$ is killed at the exit of block 2. At the termination of the program, x = z = L are not related to y = H. Thus the program is secure.

Example 2. Consider the following program:

$[y := x]^1 ; [x := y]^2$, where y = H and x = L.

$L_{\mathit{entry}}(1) = (\emptyset, \emptyset, \emptyset)$
$L_{\mathit{exit}}(1) = (\emptyset, \{\dot{x}\}, \emptyset)$
$L_{\mathit{entry}}(2) = (\emptyset, \{\dot{x}\}, \emptyset)$
$L_{\mathit{exit}}(2) = (\emptyset, \{\dot{x}\}, \emptyset)$

At the termination of the program, x = L is not related to y = H. Thus the program is secure.

Example 3. Consider the following program:

$[x := y]^1 ; [x := x - y]^2$, where x = L and y = H.

$L_{\mathit{entry}}(1) = (\emptyset, \emptyset, \emptyset)$
$L_{\mathit{exit}}(1) = (\{\bar{x}\}, \emptyset, \emptyset)$
$L_{\mathit{entry}}(2) = (\{\bar{x}\}, \emptyset, \emptyset)$
$L_{\mathit{exit}}(2) = (\emptyset, \emptyset, \emptyset)$

At the termination of the program, x = L is not related to y = H. Thus the program is secure.

Example 4. Consider the following program:

$\mathtt{if}\ [\mathit{false}]^1\ \mathtt{then}\ [x := y]^2\ \mathtt{end}$, where x = L and y = H.

$L_{\mathit{entry}}(1) = (\emptyset, \emptyset, \emptyset)$
$L_{\mathit{exit}}(1) = (\emptyset, \emptyset, \emptyset)$
$L_{\mathit{entry}}(2) = (\emptyset, \emptyset, \emptyset)$
$L_{\mathit{exit}}(2) = (\emptyset, \emptyset, \emptyset)$

At the termination of the program, x = L is not related to y = H. Thus the program is secure.

4. Soundness as Noninterference

In this section we prove that the analysis is sound by proving that it has the noninterference property [].

Theorem 1. Given a While program S, for each block $B^\ell \in \mathit{blocks}(S)$ let
$L_{\mathit{entry}}(\ell) = (\{\bar{x}\}, \{\dot{x}\}, \{\hat{x}\})$ and $L_{\mathit{exit}}(\ell) = (\{\bar{x}\}_{\mathit{exit}}, \{\dot{x}\}_{\mathit{exit}}, \{\hat{x}\}_{\mathit{exit}})$.

N(ℓ) is the set of all variables having L values at the entry of block $B^\ell$, and X(ℓ) is the set of all variables having L values at the exit of block $B^\ell$:

$N(\ell) = (\{x \mid x \in \mathbf{Var}, x = L\} \setminus \{\bar{x}\} \setminus \{\hat{x}\}) \cup \{\dot{x}\}$
$X(\ell) = (\{x \mid x \in \mathbf{Var}, x = L\} \setminus \{\bar{x}\}_{\mathit{exit}}) \cup \{\dot{x}\}_{\mathit{exit}}$

Two states agree on a set of variables V if they assign the same value to every variable in V. Then:

(1) if $\langle S, \sigma_1 \rangle \rightarrow \langle S', \sigma_1' \rangle$ and $\sigma_1$, $\sigma_2$ agree on N(init(S)), then there exists $\sigma_2'$ such that $\langle S, \sigma_2 \rangle \rightarrow \langle S', \sigma_2' \rangle$ and $\sigma_1'$, $\sigma_2'$ agree on N(init(S'));

(2) if $\langle S, \sigma_1 \rangle \rightarrow \sigma_1'$ and $\sigma_1$, $\sigma_2$ agree on N(init(S)), then there exists $\sigma_2'$ such that $\langle S, \sigma_2 \rangle \rightarrow \sigma_2'$ and $\sigma_1'$, $\sigma_2'$ agree on X(ℓ) for $\ell \in \mathit{final}(S)$.

Proof: The proof is by induction on the shape of the inference tree used to establish $\langle S, \sigma_1 \rangle \rightarrow \langle S', \sigma_1' \rangle$ and $\langle S, \sigma_1 \rangle \rightarrow \sigma_1'$, respectively.

The case [ass]. Then $\langle [x := a]^\ell, \sigma_1 \rangle \rightarrow \sigma_1[x \mapsto \mathcal{A}[\![a]\!]\sigma_1]$, and we have

$\{\bar{x}\}_{\mathit{exit}} = (\{\bar{x}\} \setminus \{\bar{x}\}_{\mathit{kill}}) \cup \{\bar{x}\}_{\mathit{gen}}$
$= (\{\bar{x}\} \setminus \{\bar{x}\}_{\mathit{kill}}) \cup \{ \bar{x} \mid y \in FV(a), y \in \{\hat{x}\}, x \sqsubset y \} \cup \{ \bar{x} \mid z \in FV(a), z := y, z \in \{\bar{x}\}, x \sqsubset y \} \cup \{ \bar{x} \mid y \in \{\bar{x}\}, x := y, x \sqsubset y \}$

$\{\dot{x}\}_{\mathit{exit}} = (\{\dot{x}\} \setminus \{\dot{x}\}_{\mathit{kill}}) \cup \{\dot{x}\}_{\mathit{gen}}$
$= (\{\dot{x}\} \setminus \{\dot{x}\}_{\mathit{kill}}) \cup \{ \dot{x} \mid x = H; \forall y \in FV(a), y = L, y \notin \{\hat{x}\} \}$

Since the information flow is secure, $\{\bar{x}\}_{\mathit{exit}} = \emptyset$, and therefore $\{\bar{x}\}_{\mathit{gen}} = \emptyset$. Thus every $y \in FV(a)$ with $y \notin \{\dot{x}\}$ has $y = L$, and every $z \in FV(a)$ with $z \notin \{\dot{x}\}$ has $z = L$; hence $\{\bar{x}\}_{\mathit{gen}} = \emptyset$ and $FV(a) \subseteq N(\ell)$. Since $\sigma_1$, $\sigma_2$ agree on N(ℓ), we get $\mathcal{A}[\![a]\!]\sigma_1 = \mathcal{A}[\![a]\!]\sigma_2$, because the value of a is only affected by the L variables occurring in it. Taking $\sigma_2' = \sigma_2[x \mapsto \mathcal{A}[\![a]\!]\sigma_2]$ we have $\sigma_1'(x) = \sigma_2'(x)$, and thus $\sigma_1'$, $\sigma_2'$ agree on X(ℓ), as required.
The case [skip]. Then $\langle [\mathtt{skip}]^\ell, \sigma_1 \rangle \rightarrow \sigma_1$, and we take $\sigma_2'$ to be $\sigma_2$; we have N(ℓ) = X(ℓ).

The case [seq$_1$]. Then $\langle S_1, \sigma_1 \rangle \rightarrow \langle S_1', \sigma_1' \rangle$. Since $\mathit{init}(S_1 ; S_2) = \mathit{init}(S_1)$, we have $N(\mathit{init}(S_1 ; S_2)) = N(\mathit{init}(S_1))$, so $\sigma_1$, $\sigma_2$ agree on $N(\mathit{init}(S_1))$. By the induction hypothesis there exists $\sigma_2'$ such that $\langle S_1, \sigma_2 \rangle \rightarrow \langle S_1', \sigma_2' \rangle$ and $\sigma_1'$, $\sigma_2'$ agree on $N(\mathit{init}(S_1'))$. Hence $\langle S_1 ; S_2, \sigma_2 \rangle \rightarrow \langle S_1' ; S_2, \sigma_2' \rangle$, and since $\mathit{init}(S_1' ; S_2) = \mathit{init}(S_1')$ we conclude that $\sigma_1'$, $\sigma_2'$ agree on $N(\mathit{init}(S_1' ; S_2))$.

The case [seq$_2$]. Similar to the case [seq$_1$].

The case [if$_1$]. Then $\langle \mathtt{if}\ [b]^\ell\ \mathtt{then}\ S_1\ \mathtt{else}\ S_2, \sigma_1 \rangle \rightarrow \langle S_1, \sigma_1 \rangle$, because $\mathcal{B}[\![b]\!]\sigma_1 = \mathit{true}$. Here $\mathit{init}(\mathtt{if}\ [b]^\ell\ \mathtt{then}\ S_1\ \mathtt{else}\ S_2) = \ell$ and

$N(\ell) = (\{x \mid x \in \mathbf{Var}, x = L\} \setminus \{\bar{x}\} \setminus \{\hat{x}\}) \cup \{\dot{x}\}$
$N(\mathit{init}(S_1)) = (\{x \mid x \in \mathbf{Var}, x = L\} \setminus \{\bar{x}\} \setminus \{\hat{x}\} \setminus \{\hat{x}\}_b) \cup \{\dot{x}\}$

where $\{\hat{x}\}_b = \{x \mid y \in FV(b), y := x, x = H\}$ is generated by the test block and flows into $\mathit{init}(S_1)$ along $\mathit{flow}'$. Hence $N(\mathit{init}(S_1)) \subseteq N(\ell)$, so the agreement of $\sigma_1$, $\sigma_2$ on N(ℓ) implies their agreement on $N(\mathit{init}(S_1))$, and we can immediately conclude by taking $\sigma_2' = \sigma_2$.

The case [if$_2$]. Similar to the case [if$_1$].

The case [wh$_1$]. Similar to the case [if$_1$].

The case [wh$_2$]. Similar to the case [if$_1$].

This completes the proof.

Finally, we have an important corollary, which states that noninterference is preserved throughout the execution of the entire program.

Corollary 1. Under the same assumptions as Theorem 1, writing $\rightarrow^{*}$ for zero or more transition steps:

(1) (not yet terminated programs) if $\langle S, \sigma_1 \rangle \rightarrow^{*} \langle S', \sigma_1' \rangle$ and $\sigma_1$, $\sigma_2$ agree on N(init(S)), then there exists $\sigma_2'$ such that $\langle S, \sigma_2 \rangle \rightarrow^{*} \langle S', \sigma_2' \rangle$ and $\sigma_1'$, $\sigma_2'$ agree on N(init(S'));

(2) (terminated programs) if $\langle S, \sigma_1 \rangle \rightarrow^{*} \sigma_1'$ and $\sigma_1$, $\sigma_2$ agree on N(init(S)), then there exists $\sigma_2'$ such that $\langle S, \sigma_2 \rangle \rightarrow^{*} \sigma_2'$ and $\sigma_1'$, $\sigma_2'$ agree on X(ℓ) for some $\ell \in \mathit{final}(S)$.

5. Conclusion

This paper uses data flow analysis to deal with secure information flow. The analysis proposed in this paper is more precise than the existing syntactic approaches. The analysis is proved to be sound by proving
that it has the noninterference property.

6. References

[1] A. Sabelfeld and A. C. Myers. Language-based information-flow security. IEEE Journal on Selected Areas in Communications, 2003, 21(1).
[2] Dennis Volpano, Geoffrey Smith. A Type-Based Approach to Program Security. Proceedings of TAPSOFT'97, Colloquium on Formal Approaches in Software Engineering, Lille, France, 14-18 April 1997.
[3] Dennis Volpano, Geoffrey Smith, Cynthia Irvine. A Sound Type System for Secure Flow Analysis. Journal of Computer Security, 1996, 9.
[4] M. Mizuno and D. A. Schmidt. A security flow control algorithm and its denotational semantics correctness proof. Formal Aspects of Computing, 1992, 4: 727-754.
[5] Kyung-Goo Doh and Seung Cheol Shin. Data Flow Analysis of Secure Information-Flow. ACM SIGPLAN Notices, 2002, 37(8).
[6] R. Joshi and K. R. M. Leino. A semantic approach to secure information flow. Science of Computer Programming, 2000, 37: 113-138.
[7] A. Sabelfeld and D. Sands. A per model of secure information flow in sequential programs. Higher-Order and Symbolic Computation, 2001, 14: 59-91.
[8] A. Darvas, R. Hähnle and D. Sands. A Theorem Proving Approach to Analysis of Secure Information Flow. Technical Report, 2004.
[9] D. Denning, P. Denning. Certification of Programs for Secure Information Flow. Communications of the ACM, 1977, 20(7): 504-513.
[10] Hanne Riis Nielson and Flemming Nielson. Semantics with Applications: A Formal Introduction. July 1999.
[11] F. Nielson, H. R. Nielson and C. Hankin. Principles of Program Analysis. Springer, 1999.
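As an added example (not code from the paper), the following Python implements the transition semantics of Section 2 as a small interpreter and checks the noninterference property of the introduction semantically: for every initial L value, the final L values must not change when the initial H values change. It confirms the two leaking programs of the introduction and the four secure programs the analysis certifies. The tuple encoding of statements and the helper names are assumptions; expressions are evaluated with Python's `eval` on constructed inputs only.

```python
import itertools

def run(s, sigma):
    """One full execution of statement s on state dict sigma (Section 2 semantics)."""
    k = s[0]
    if k == 'assign':                          # [x := a]^l : sigma[x -> A[a]sigma]
        sigma[s[2]] = eval(s[3], {}, sigma)
        return sigma
    if k == 'skip':
        return sigma
    if k == 'seq':
        return run(s[2], run(s[1], sigma))
    if k == 'if':
        return run(s[3] if eval(s[2], {}, sigma) else s[4], sigma)
    while eval(s[2], {}, sigma):               # while [b]^l do S
        sigma = run(s[3], sigma)
    return sigma

def noninterfering(s, low, high, values=range(-2, 3)):
    """True if the final L values never depend on the initial H values.
    `values` is the constructed finite domain over which all initial states are tried."""
    for lo in itertools.product(values, repeat=len(low)):
        observed = set()
        for hi in itertools.product(values, repeat=len(high)):
            sigma = dict(zip(low, lo))
            sigma.update(zip(high, hi))
            final = run(s, sigma)
            observed.add(tuple(final[x] for x in low))
        if len(observed) > 1:                  # an L observation reveals something about H
            return False
    return True

# The introduction's programs, with H secret and L public.
EXPLICIT_LEAK = ('assign', 1, 'L', 'H')
IMPLICIT_LEAK = ('if', 1, 'H', ('assign', 2, 'L', '0'), ('assign', 3, 'L', '1'))
SECURE = [
    ('seq', ('assign', 1, 'L', 'H'), ('assign', 2, 'L', '8')),       # (1)
    ('seq', ('assign', 1, 'H', 'L'), ('assign', 2, 'L', 'H')),       # (2)
    ('seq', ('assign', 1, 'L', 'H'), ('assign', 2, 'L', 'L - H')),   # (3)
    ('if', 1, 'False', ('assign', 2, 'L', 'H'), ('skip', 3)),        # (4)
]
```

The check is exhaustive over the small constructed domain and so is a test of the noninterference definition, not a substitute for the static analysis, which decides the property without executing the program.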